PUT /api/entity_store/entities/bulk
Api key auth

Spaces method and path for this operation:

put /s/{space_id}/api/entity_store/entities/bulk

Refer to Spaces for more information.

Update or create many entities in Entity Store. If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.

Query parameters

  • force boolean

    When true, allows updating protected fields.

    Default value is false.

application/json

Body Required

Schema for the updating many entities

  • entities array[object] Required

    The entities to create or update.

    Hide entities attributes Show entities attributes object

    A wrapper that pairs an entity type with the entity record to upsert.

    • record object Required

      An entity record from the Entity Store. The entity namespace is a root-level field in the latest index, unlike source logs where it is nested under host, user, or service.

      One of:
      Security_Entity_Analytics_API_UserEntity object Security_Entity_Analytics_API_HostEntity object Security_Entity_Analytics_API_ServiceEntity object Security_Entity_Analytics_API_GenericEntity object
    • type string Required

      The type of entity.

      Values are user, host, service, or generic.

Responses

  • 200

    Entities updated or created

  • 403

    Operation on a restricted field

  • 503

    Operation on an uninitialized Engine or in a cluster without CRUD API Enabled

PUT /api/entity_store/entities/bulk 
curl \
 --request PUT 'https://<KIBANA_URL>/api/entity_store/entities/bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"entities":[{"record":{"@timestamp":"2026-05-04T09:42:00Z","asset":{"business_unit":"string","criticality":"low_impact","environment":"string","id":"string","model":"string","name":"string","owner":"string","serial_number":"string","vendor":"string"},"entity":{"attributes":{"asset":true,"managed":true,"mfa_enabled":true,"privileged":true},"behaviors":{"brute_force_victim":true,"new_country_login":true,"used_usb_device":true},"EngineMetadata":{"Type":"string"},"id":"arn:aws:iam::123456789012:user/jane.doe","lifecycle":{"first_seen":"2026-05-04T09:42:00Z","last_activity":"2026-05-04T09:42:00Z","last_seen":"2026-05-04T09:42:00Z"},"name":"jane.doe","relationships":{"accessed_frequently_by":["string"],"accesses_frequently":["string"],"accesses_infrequently":["string"],"communicates_with":["string"],"dependent_of":["string"],"depends_on":["string"],"owned_by":["string"],"owns":["string"],"supervised_by":["string"],"supervises":["string"]},"risk":{"calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0},"source":"string","sub_type":"string","type":"user"},"event":{"ingested":"2026-05-04T09:42:00Z"},"user":{"domain":["string"],"email":["string"],"full_name":["string"],"hash":["string"],"id":["string"],"name":"string","risk":{"@timestamp":"2017-07-21T17:32:28Z","calculated_level":"Unknown","calculated_score":42.0,"calculated_score_norm":42.0,"calculation_run_id":"string","category_1_count":42,"category_1_score":42.0,"category_2_count":42,"category_2_score":42.0,"criticality_level":"low_impact","criticality_modifier":42.0,"id_field":"host.name","id_value":"example.host","inputs":[{"category":"category_1","contribution_score":42.0,"description":"Generated from Detection Engine Rule: Malware Prevention Alert","entity_id":"string","id":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","index":".internal.alerts-security.alerts-default-000001","risk_score":42.0,"timestamp":"2017-07-21T17:32:28Z"}],"modifiers":[{"contribution":42.0,"metadata":{},"modifier_value":42.0,"subtype":"string","type":"string"}],"notes":["string"],"related_entities":[{"entity_id":"string","relationship_type":"string"}],"score_type":"base"},"roles":["string"]}},"type":"user"}]}'